Haproxy custom acl whitelist IP restrict alias backend specific block reject others
xanaro last edited by xanaro
I am looking for a way to allow access to certain backends only to certain IP addresses or networks, I am trying to find information that shows/tells how to do this.
I have 10+ backends configured, I have a shared https front end with SSL offloading. I have all the additional certificates added and the Add ACL for certificate subject alternative names checked.
Websites Front end uses the shared https front end has a very simple Access Control List.
then bellow in actions:
This setup has been great because it ties in nicely with pfsense ACME certificates, previously I did all of this on an nginx reverse proxy, this is much simpler.
On the frontend access control list I am using "Host Matches" but I can see that I could change that to "Source IP matches IP or Alias"
Unfortunately I am not sure how to combine the two.("Host Matches" AND "Source IP matches IP or Alias") I have searched google, reddit, and this forum. and there has not been any clear cut examples of how to accomplish this.
My understanding so far is that I would goto the HAProxy main "Settings" tab, scroll to the bottom and add some custom code to the Global Advanced pass thru.
The other problem I am faced with is that most of the IP filtering I have seen appears to use mode: TCP but my front end is using mode: HTTP, so it may not be compatible code....
I REALLY REALLY appreciate any help if anyone can give some pointers, examples, or snippets.
xanaro last edited by
UPDATE: figured this out thanks to the HAProxy forum.
On your frontends define more than one ACL such as:
host1 host matches: host1.example.com adminIPs Source IP matches Ip or Alias: 111.222.333.444
In the above we have two ACLs: host1 and adminIPs, for the adminIPs you can reference a pfsense alias instead of hard coding an IP if you need it to apply to more than one IP.
now below for the Action:
action: Use Backend
acl names: adminIPs host1
by defining both ACLs it should only forward to the backend if both acls are true.
@xanaro I created an account just to thank you for this. This saved me a ton of time!
xanaro last edited by
@tomschlick No problem! I was having trouble finding examples of this in any of the documentation myself, its not entirely obvious that you can simply specify more than one ACL in the Haproxy action table. So I myself was trying to figure this out and luckily somebody answered my question on HAProxy forums.
I will add to this that if you reference a pfsense alias that you have to restart the haproxy service if you add any additional entries to the alias, at least this seems to be the behavior I was noticing.